Currently in Laravel there are a lot of functions that automatically serialize and deserialize data transparently. For example, some functions that do this are:
Cache functions
Encryption functions
I've discovered quite a few vulnerabilities in Laravel-based projects where chaining certain mistakes in code can result in compromise. While this isn't a specific issue with Laravel, it is an issue with userland code.
I would propose allowing, either by config or argument, to be able to set the allowed_classes for deserialization.
Thoughts/comments welcome.
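As an added illustration of what the proposed allowed_classes option would buy (this is example code written for this discussion, not Laravel's own cache or encrypter code): PHP's built-in unserialize() already accepts an allowed_classes option, and a small wrapper can use it as an allow-list so that a payload read back from a cache or an encrypted value can only instantiate classes the caller expects. The class names CachedProfile and Unexpected and the helpers safeUnserialize and containsIncompleteClass are hypothetical; the unserialize() option itself is standard PHP.

```php
<?php
declare(strict_types=1);

// Added example, not Laravel's code: using PHP's unserialize() allowed_classes
// option as an allow-list, so a serialized payload (e.g. read back from a
// cache or an encrypted value) can only instantiate classes the caller expects.
// CachedProfile, Unexpected, safeUnserialize and containsIncompleteClass are
// hypothetical names chosen for this illustration.

// A plain value class we are willing to accept from a cached entry.
final class CachedProfile
{
    public function __construct(public string $name, public int $age) {}
}

// Stands in for any class the caller did not intend to instantiate. Its
// __wakeup() only records that it ran, which makes the effect of the
// allow-list observable.
final class Unexpected
{
    public static bool $woken = false;

    public function __wakeup(): void
    {
        self::$woken = true;
    }
}

// Recursively checks whether a deserialized value contains an object that
// PHP refused to instantiate (it becomes __PHP_Incomplete_Class instead).
function containsIncompleteClass(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}

// Deserializes $payload, instantiating only classes named in $allowed.
// Anything else becomes __PHP_Incomplete_Class, so its __wakeup()/__destruct()
// never run; such payloads are rejected outright rather than passed on.
function safeUnserialize(string $payload, array $allowed): mixed
{
    $value = unserialize($payload, ['allowed_classes' => $allowed]);

    // unserialize() returns false on malformed input; "b:0;" is the only
    // well-formed payload for which false is the genuine value.
    if ($value === false && $payload !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized payload');
    }
    if (containsIncompleteClass($value)) {
        throw new UnexpectedValueException('payload references a class outside the allow-list');
    }
    return $value;
}

// Constructed sample payloads for the demonstration.
$expected = serialize(new CachedProfile('alice', 30));
$unwanted = serialize([new Unexpected()]);

$profile = safeUnserialize($expected, [CachedProfile::class]);
printf("accepted: %s(%s, %d)\n", $profile::class, $profile->name, $profile->age);

try {
    safeUnserialize($unwanted, [CachedProfile::class]);
} catch (UnexpectedValueException $e) {
    printf("rejected: %s\n", $e->getMessage());
}
printf("Unexpected::__wakeup ran: %s\n", Unexpected::$woken ? 'yes' : 'no');
```

When the stored value is only ever scalars and arrays, passing 'allowed_classes' => false is the simplest setting: no object of any class is instantiated. The wrapper rejects payloads containing __PHP_Incomplete_Class rather than handing them on, because a later re-serialization of such an object would faithfully reproduce the original class name. This limits which classes a payload can instantiate; it does not make deserializing untrusted input safe in general, which is why a config- or argument-level knob in the framework's own cache and encryption helpers, as proposed above, would be useful.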